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Critical Infrastructure Information Disclosure and 
Homeland Security 



Summary 

Critical infrastructures have been defined as those systems and assets so vital 
to the United States that the incapacity of such systems and assets would have a 
debilitating impact on the United States. One of the findings of the President’s 
Commission on Critical Infrastructure Protection, established by President Clinton 
in 1996, was the need for the federal government and owners and operators of the 
nation’s critical infrastructures to share information on vulnerabilities and threats. 
However, the Commission noted that owners and operators are reluctant to share 
confidential business information, and the government is reluctant to share 
information that might compromise intelligence sources or investigations. Among 
the strategies to promote information sharing was a proposal to exempt critical 
infrastructure information from disclosure under the Freedom of Information Act. 

The Freedom of Information Act (FOIA) was passed to ensure by citizen access 
to government information. Nine categories of information may be exempted from 
disclosure. Three of the nine exemptions provide possible protection against the 
release of critical infrastructure information: exemption 1 (national security 
information); exemption 3 (information exempted by statute); and exemption 4 
(confidential business information). Congress has considered several proposals to 
exempt critical infrastructure information from FOIA. Generally, the legislation has 
created an exemption 3 statute, or adopted the exemption 4 D.C. Circuit standard. 

Prior to passage of the Homeland Security Act (P.L. 107-296), the House (H.R. 
5005) and Senate (S . 2452) bills differed significantly on language providing a FOIA 
exemption. Differences included the type of information covered and exempted from 
FOIA; the scope of the protections provided; the authorized uses or disclosures; the 
permissibility of disclosures of related information by other agencies; immunity from 
civil liability; preemption; and criminal penalties. The Homeland Security Act (P.L. 
107-296, section 214 ) provisions regarding the exemption of critical infrastructure 
information from FOIA adopted the House language in its entirety. 

Public interest groups question the necessity of a FOIA exemption suggesting 
that existing FOIA exemptions provide sufficient protections.. They also argued that 
the House language (which passed) was too broad and would allow a wider range of 
information to be protected (including information previously available under FOIA). 
They favored the more limited protections proposed in the S. 2452. Public interest 
groups also expressed concern that the provision which bars use of the protected 
information in civil actions would shield owners and operators from liability under 
antitrust, tort, tax, civil rights, environmental, labor, consumer protection, and health 
and safety laws. Owners and operators of critical infrastructures insisted that current 
law did not provide the certainty of protection needed. While they viewed the Senate 
language as a workable compromise, they favored the protections in H.R. 5005. 
Compelling arguments existed on both sides of the debate for and against exempting 
critical infrastructure information from the Freedom of Information Act. S. 6 
introduced in the 108 th Congress, resurrects S. 2452 (107 th Congress). This report 
will be updated as warranted. 
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Critical Infrastructure Information Disclosure 
and Homeland Security 



Introduction and Background 

Leading up to the passage of the Homeland Security Act of 2002 (P.L. 107-296), 
a debate ensued regarding the exemption of critical infrastructure information from 
the Freedom of Information Act, 5 U.S.C. § 552. Both the House and Senate 
versions of the Homeland Security Act (H.R. 5005 and S. 2452, respectively) 
contained language exempting such information, but the two versions were 
significantly different. Final passage of the Act included the House language 
(sections 211 - 215 of P.L. 107-296). This report discusses the differences in 
language and some of the arguments and concerns expressed by both supporters and 
critics of the exemption. 

Certain socio-economic activities are vital to the day-to-day functioning and 
security of the country; for example, transportation of goods and people, 
communications, banking and finance, and the supply of electricity and water. These 
activities and services have been referred to as components of the nation’s critical 
infrastructure. Domestic security and our ability to monitor, deter, and respond to 
outside hostile acts also depend on some of these activities as well as other more 
specialized activities like intelligence gathering, law enforcement, and military 
forces. Serious disruption in these activities and capabilities could have a major 
impact on the country’s well-being. 

In July 1996, President Clinton established the President’s Commission on 
Critical Infrastructure Protection (PCCIP). 1 The Commission was tasked with 
assessing the vulnerabilities of the country’s critical infrastructures and proposing a 
strategy for protecting them. In its final 1997 report, 2 the Commission stated that the 
“...two-way sharing [of] information is indispensable to infrastructure assurance,” 
and that “increasing the sharing of strategic information within each infrastructure, 
across different sectors, and between sectors and the government will greatly assist 
efforts of owners and operators to identify their vulnerabilities and acquire tools 
needed for protection.” According to the Commission, the exchange of information 
is also necessary to develop an analytic capability to examine information about 
incidents, vulnerabilities, and other intelligence information to determine whether 
events are related and can be used possibly to recognize or predict an attack. 



1 Executive Order 13010 — Critical Infrastructure Protection. Federal Register, July 17, 
1996. Vol. 61, No. 138. pp. 37347-37350. 

2 Critical Foundations: Protecting America’s Infrastructures. The Report of the President’s 
Commission on Critical Infrastructure Protection. Washington, D.C. October, 1997. 
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The Commission also noted that there is a reluctance on the part of the private 
sector and the government to share information related to vulnerabilities or incidents 
needed to plan for and effect adequate protections. The private sector is reluctant to 
submit information to the government related to vulnerabilities or incidents that 
might damage its reputation, weaken its competitive position, lead to costly 
investigations, be used inappropriately, or expose it to liability as a result of 
disclosure by the government of confidential business information. The government 
is reluctant to disclose threat information that might compromise intelligence 
activities or investigations. 

The first objective of the Commission’s recommended Strategy for Action was 
to promote a partnership between government and infrastructure owners and 
operators that would increase the sharing of information relating to infrastructure 
threats, vulnerabilities, and interdependencies. The Commission proposed 
developing an Information Sharing and Analysis Center (ISAC) that would consist 
of government and private sector representatives working together to receive 
information from all sources, analyze it, draw conclusions about vulnerabilities or 
incidents within the infrastructures, and inform government and private sector users. 
It also recognized that, in order to facilitate the exchange of information, the private 
sector would need assurances that its confidential information would be protected. 
The Commission noted that this might require that a legal vehicle be established 
within the critical infrastructure information sharing mechanism that would protect 
confidential information, and examined the ramifications of different approaches and 
strategies related to the federal government’ s protection of private sector information. 
It briefly discussed some pros and cons associated with the creation of a FOIA 
exemption 3 statute for critical infrastructure information. Under exemption 3 of the 
Freedom of Information Act (FOIA), 5 U.S.C. 552, information protected from 
disclosure under other statutes is also exempt from public disclosure under FOIA. 3 

In response to the Commission’s report, President Clinton released Presidential 
Decision Directive No. 63 (PDD-63). 4 The Directive instructed the National 
Coordinator for Security, Infrastructure Protection and Counter-Terrorism and other 
government officials to consult with private sector owners and operators of critical 
infrastructures, and encourage the creation of a private sector information analysis 
and sharing center as envisaged by the PCCIP. Although the Directive did not 
address FOIA explicitly, it did direct the National Coordinator to undertake studies 
to examine: liability issues arising from participation by private sector companies in 
the information sharing process; existing legislative impediments to information 
sharing with an eye toward removing those impediments; and the improved 
protection, including secure dissemination of industry trade secrets, of other 
confidential business data, law enforcement information and evidentiary material, 
classified national security information, unclassified material disclosing 



3 Exemption 3 exempts from disclosure information specifically exempted by statute, as 
long as the statute leaves no discretion on disclosure and that the statute specifies particular 
criteria for withholding or refers to particular types of matters to be withheld. 5 U.S.C. § 
552(b)(3). See the next section of this report for further discussion. 

4 The White House, Protecting America’s Critical Infrastructures: Presidential Decision 
Directive 63 (May 1998). Available at [http://www.ciao.gov/resource/paper598.pdf]. 
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vulnerabilities of privately owned infrastructures and apparently innocuous 
information that, in the aggregate, would be imprudent to disclose. The Clinton 
Administration, however, never adopted a formal position on the desirability of an 
exemption to FOIA or the necessity for any additional confidentiality protections. 

In connection with the implementation of PDD-63, a number of industrial 
sectors which own and/or operate critical infrastructures formed ISACs, and entered 
into arrangements with the federal government to share information. However, the 
General Accounting Office reported in April 2001, that very little or no formalized 
flow of information has occurred from the private sector to the federal government. 5 
According to the Director of the National Infrastructure Protection Center, the 
organization with which industry is to share information, one of the reasons for this 
is the uncertainty regarding FOIA exemptions. 6 Similarly, the Partnership for Critical 
Infrastructure Security, a cross-industry group formed to facilitate communication 
among industry sectors, has stated that it is not clear that any of the existing FOIA 
exemptions provide the certainty of protection that many companies require before 
disclosing threat and vulnerability information to the government. 7 

In the 106 th Congress, both H.R. 4246 (Davis/Moran) and S. 3188 (Kyi) 
included an exemption from FOIA for cyber security information voluntarily 
provided to the federal government, and prohibited the information from being used, 
by either the federal government or a third party, in any civil action. 8 Neither bill was 
reported out of committee. 

During the 107 th Congress, two bills were introduced with many of the same 
provisions: H.R. 2435 (Davis) and S. 1456 (Bennett/Kyl) would have exempted 
information voluntarily submitted to the federal government in connection with 
critical infrastructure protection from FOIA, 9 and provided protection against civil 
action. Both bills remained in committee. In an effort to reconcile the two bills, S. 
1456 was modified, taking some of the House language. The rewritten bill, however, 
was never introduced. The Bush Administration offered qualified support for both 



5 Critical Infrastructure Protection. Significant Challenges in Developing National 
Capabilities. United States General Accounting Office. GAO-01-323. April 2001. See 
Chapter 4. 

6 Id. Appendix 1, p.99. It should be noted that, according to the GAO, another reason the 
private sector has not shared information with the government is the lack of agreement on 
what type of information is needed. 

7 Partnership for Critical Infrastructure Protection. Working Group 3. Public Policy White 
Paper, p. 5. Available at [http://www.pcis.org/WG3/WG-3_Public_Policy_WP.pdf]. 

8 See CRS Report RL30153, Critical Infrastructures: Background and Early 
Implemen tation of PDD-63. 

9 The Senate bill expanded the type of information to be protected to include information 
related to the physical security of critical infrastructures, referring to protected information 
as “critical infrastructure information,” specified the agencies covered by the legislation, and 
prescribed how the information may be used. 
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bills. 10 In President Bush’s initial proposal to establish a new Department of 
Homeland Security, part of which proposed establishing a critical infrastructure 
protection function, a FOIA exemption was included for information held by the 
Department. Subsequently, both the House and Senate bills establishing the new 
Department (H.R. 5005 and S. 2452, respectively) included more detailed language 
exempting critical infrastructure information from FOIA. The House language also 
offered more extensive protections: see Legislative Responses, below. 



Freedom of Information Act 

In 1966, during floor debate on passage of the Freedom of Information Act 
(FOIA), 11 Representative Rumsfeld quoted James Madison when he said, 

Knowledge will forever govern ignorance. And a people who mean to be 
their own governors, must arm themselves with the power knowledge 
gives. A popular government without popular information or the means 
of acquiring it, is but a prologue to a farce or a tragedy, or perhaps both. 12 

The sentiments expressed by Madison in 1822 are prescient today. The populace 
desires knowledge about the activities of its government in order to ensure 
accountability and oversight. The government desires information from owners and 
operators of critical infrastructures in order to protect persons and assets in the war 
on terrorism. The terrorist attacks of September 1 1 have prompted a reevaluation of 
how to balance public access to information with the need for safety and security. 

The federal government, since its beginnings, has delegated to agency heads the 
basic authority to control the papers and documents of their departments. Through 
the Housekeeping Statute of 1789, federal agencies have kept control of the 
disclosure of their files. 13 The Administrative Procedure Act (APA) of 1946 had a 
slight impact upon departmental control of agency information. 14 Instances were 
documented, however, where both the Housekeeping Statute and the Administrative 
Procedure Act had been used as excuses for withholding information, and concern 
mounted that the APA had become a loophole for agency secrecy permitting agency 
heads to exercise broad, unrestrained powers of a discretionary nature. The 
Housekeeping Statute was amended to clarify that it does not authorize withholding 



10 White House Official Outlines Cyber Security Initiatives. Maureen Sirhal. National 
Journal’s Technology Daily. January 25, 2002. 

n 5U.S.C. §552 etseq. 

12 James Madison, 1822, quoted by Rep. Rumsfeld in House debate on passage of Freedom 
of Information Act, 1 14 Cong. Rec. 13, 654 (1966). 

13 “The head of an Executive department or military department may prescribe regulations 
for the government of his department, the conduct of its employees, the distribution and 
performance of its business, and the custody, use, and preservation of its records, papers, 
and property. This section does not authorize withholding information from the public or 
limiting the availability of records to the public.” 5 U.S.C. § 301 . 

14 60 Stat. 238. 
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information from the public or limiting the availability of records to the public. The 
amendment of the Housekeeping Statute did not produce the results sought by 
advocates of greater public access to public information. The House Government 
Information S ubcommittee proposed a freedom of information bill that created a right 
of any person to use the courts to enforce the right of access to federal information. 
Although the proposal was well received by the press, federal agencies were resistant. 
The Senate passed S. 1160 in 1965, the House in 1966, and the Freedom of 
Information Act (FOIA) was signed into law by President Johnson on July 4, 1966. 
The FOIA was subsequently amended in 1974, 1986, and 1996 for several reasons: 
ambiguity in the text and legislative history; agency and Department of Justice 
resistance to broader disclosure; increased oversight by Congress; court 
interpretations of the statute and its procedural requirements and exemptions; time 
delays by agencies in responding to requests for access to information and delaying 
tactics by agencies in litigation; to clarify the scope of the exemptions in response to 
Supreme Court decisions interpreting the Act’s provisions; and to accommodate 
technological advances related to the methods prescribed for public access. 

The purpose of the Freedom of Information Act (FOIA) was to ensure by statute 
citizen access to government information. The FOIA establishes for any 
person — corporate or individual, regardless of nationality — presumptive access to 
existing, unpublished agency records on any topic. The law specifies nine categories 
of information that may be exempted from the rule of disclosure. The exemptions 
permit, rather than require, the withholding of the requested information. Records 
which are not exempt under one or more of the Act’s nine exemptions must be made 
available. If a record has some exempt material, the Act provides that any reasonably 
segregable portion of the record must be provided to any person requesting such 
record after deletion of the portions which are exempt. Disputes over the 
accessibility of requested records may be reviewed in federal court. Fees for search, 
review, or copying of materials may be imposed; also, for some types of requesters, 
fees may be reduced or waived. The FOIA was amended in 1996 to provide for 
public access to information in an electronic form or format. In 2001, agency annual 
reports indicated that they received approximately 1.9 million FOIA requests. 

With respect to the Freedom of Information Act, three of the nine exemptions 
from public disclosure provide possible protections against the release of homeland 
security and critical infrastructure information: exemption 1 (national security 
information), exemption 3 (information exempted by statute), and exemption 4 
(confidential business information). 15 

FOIA Exemption 1 - National Security Information 

Exemption 1 of the FOIA protects from disclosure national security information 
concerning the national defense or foreign policy, provided that it has been properly 
classified in accordance with the substantive and procedural requirements of an 
executive order. 16 As of October 14, 1995, the executive order in effect is Executive 



15 See 5 U.S.C. § 552(b). 

16 5 U.S.C. § 552(b)(1). 
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Order 12,958 issued by President Clinton ( and amended in 1999 by Executive Order 
13, 142). 17 Section 1.5 of the order specifies the types of information that may be 
considered for classification: military plans, weapons systems, or operations; foreign 
government information; intelligence activities, sources or methods, or cryptology; 
foreign relations or foreign activities, including confidential sources; scientific, 
technological, or economic matters relating to national security; U.S. government 
programs for safeguarding nuclear materials and facilities; or vulnerabilities or 
capabilities of systems, installations, projects, or plans relating to national security. 
The categories of information that may be classified seemingly appear broad enough 
to include homeland security information concerning critical infrastructures. Under 
E.0. 12,958 information may not be classified unless “its disclosure reasonably could 
be expected to cause damage to the national security.” 18 

On March 19, 2002, the White House Chief of Staff issued a directive to the 
heads of all federal agencies addressing the need to protect information concerning 
weapons of mass destruction and other sensitive homeland security-related 
information. 19 The implementing guidance for the directive concerns sensitive 
homeland security information that is currently classified, and previously unclassified 
or declassified information. 20 The guidance provides that with respect to such 
information currently classified, the classified status of such information should be 
maintained in accordance with Executive Order 12,958. This includes extending the 
duration of classification as well as exempting such information from automatic 
declassification as appropriate. With respect to previously unclassified or 
declassified information concerning weapons of mass destruction and other sensitive 
homeland security-related information, the implementing guidance provides that, to 
the extent it has never been publicly disclosed under proper authority, it may be 
classified or reclassified pursuant to Executive Order 12,958. If the information has 
been subject to a previous request for access, such as a FOIA request, classification 
or reclassification is subject to the special requirements of the executive order. 

Section 792 of H.R. 5005, as passed by the House, directed the President to 
prescribe and implement procedures applicable to all federal agencies to share 
relevant, appropriate homeland security information among federal agencies, 
including the Department of Homeland Security, and with appropriate state and local 
personnel; to identify and safeguard sensitive, unclassified homeland security 
information; to determine whether, how, and to what extent to remove classified 
homeland security information, and to determine with whom such homeland security 
information should be shared after such classified information is removed. H.R. 



17 3 C.F.R. 333 (1996), reprinted in 50 U.S.C. § 435 note. 

18 Exec. Order No. 12.958, § 1.2(a)(4). 

19 See White House Memorandum for Heads of Executive Departments and Agencies 
Concerning Safeguarding Information Regarding Weapons of Mass Destruction and Other 
Sensitive Documents Related to Homeland Security (Mar. 19, 2002); reprinted in FOIA Post 
(posted 3/21/02). 

20 See Memorandum from Acting Director of Information Security Oversight Office and Co- 
Directors of Office of Information and Privacy to Departments and Agencies (March 31, 
2002); reprinted in FOIA Post (posted 3/21/02). 
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5005 specifically stated that the substantive requirements for classification are not 
changed. S. 2452, agreed to by the Senate Governmental Affairs Committee on July 
25, 2002, did not have a parallel provision. The House language prevailed (in 
Section 982 of P.L. 107-296). 

FOIA Exemption 3 - Information Exempt by Statute 

Under exemption 3 of the FOIA, information protected from disclosure under 
other statutes is also exempt from public disclosure. 21 Exemption 3 provides that the 
FOIA does not apply to matters that are: 

specifically exempted from disclosure by statute . . . provided that such 
statute (A) requires that the matters be withheld from the public in such a 
manner as to leave no discretion on the issue, or (B) establishes particular 
criteria for withholding or refers to particular types of matters to be 
withheld. 22 

Exemption 3 allows the withholding of information prohibited from disclosure by 
another statute only if the other statute meets any one of the three criteria: (1) it 
requires that the records be withheld ( i.e . , no agency discretion); (2) grants discretion 
on whether to withhold but provides specific criteria to guide the exercise of that 
discretion; or (3) describes with sufficient specificity the types of records to be 
withheld. To support an exemption 3 claim, the information requested must fit 
within a category of information that the statute authorizes to be withheld. As with 
all FOIA exemptions, the government bears the burden of proving that requested 
records are properly withheld. Numerous statutes have been held to qualify as 
exemption 3 statutes under the exemption’s first subpart - statutes that require 
information to be withheld and leave the agency no discretion. Several statutes have 
failed to qualify under exemption 3 because too much discretion was vested in the 
agency, or because the statute lacked specificity regarding the records to be 
withheld. 23 Unlike other FOIA exemptions, if the information requested under FOIA 
meets the withholding criteria of exemption 3, the information must be withheld. 

Congress has considered a number of proposals that address the disclosure 
under FOIA of cyber security information, of information maintained by the 
Department of Homeland Security, and of critical infrastructure information 
voluntarily submitted to the Department of Homeland Security. Generally, the 
legislation has specifically exempted the covered information from disclosure under 
FOIA, in effect creating an exemption 3 statute for purposes of FOIA. 



21 5 U.S.C. § 552(b)(3). 

22 5 U.S.C. § 552(b)(3). 

23 See CRS Congressional Distribution Memorandum, American Law Division, Freedom of 
Information Act: Statutes Invoked under Exemption 3 by Gina Stevens (July 11, 2002) 
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FOIA Exemption 4 - Confidential Business Information 

Exemption 4 of FOIA exempts from disclosure “trade secrets and commercial 
or financial information obtained from a person and privileged or confidential.” 24 
The latter category of information (commercial information that is privileged or 
confidential) is relevant to the issue of the federal government’ s protection of private 
sector critical infrastructures information. To fall within this second category of 
exemption 4, the information must satisfy three criteria. It must be: a) commercial 
or financial; b) obtained from a person; and c) confidential or privileged. The D.C. 
Circuit has held that the terms “commercial or financial” should be given their 
ordinary meaning, and that records are commercial if the submitter has a 
“commercial interest” in them. 25 The second criteria, “obtained from a person,” 
refers to a wide range of entities. 26 However, information generated by the federal 
government is not “obtained from a person,” and as a result is excluded from 
exemption 4's coverage. 27 

Most exemption 4 cases have involved a dispute over whether the information 
was “confidential.” In 1974, the D.C. Circuit in National Parks and Conservation 
Association v. Morton , held that the test for confidentiality was an objective one. 28 
It held that neither the fact that a submitter would not customarily make the 
information public, nor an agency’s promises of confidentiality were enough to 
justify confidentiality. National Parks enunciated a two-part test: commercial 
information is confidential “if disclosure of the information is likely to have either 
of the following effects: (1) to impair the government’s ability to obtain necessary 
information in the future; or (2) to cause substantial harm to the competitive position 
of the person from whom the information was obtained.” 29 These criteria are 
commonly referred to as Test 1 and Test 2. 30 

In 1992, in Critical Mass Energy Project v. NRC, 31 after examining arguments 
in favor of overturning National Parks, the D.C. Circuit reaffirmed application of the 
National Parks test based on the principle of stare decisis - which counsels against 
overruling established precedent. The plaintiff was seeking reports which a utility 



24 5 U.S.C. § 552(b)(4). 

~ Public Citizen Health Research Group v. FDA, 704 F.2d 1280, 1290 (D.C. Cir. 1983). 

26 See, Ncidler v. FD1C, 92 F.3d 93, 95 (2d Cir. 1996)(term “person” includes “individual, 
partnership, corporation, association, or public or private organization other than an agency” 
(quoting definition found in Administrative Procedure Act, 5 U.S.C. § 551(2)). 

27 See, Allnet Communications Servs. v. FCC, 800 F. Supp. 984, 988 (D.D.C. 1992). 

28 498 F.2d 765 (D.C. Cir. 1974). 

29 Id. at 770. 

30 See also, Niagara Power Corp. v. United States Department of Energy, 169 F.3d 16 (D.C. 
Cir. 1999)(court held that material fact existed as to whether disclosure of fuel consumption 
and power generation figures provided pursuant to statute would impair agency’ s ability to 
collect information, and whether disclosure was likely to cause plants substantial harm). 

31 975 F.2d 871, 879-80 (D.C. Cir. 1992 ){en banc){ “Critical Mass II”), cert, denied, 1 13 S. 
Ct. 1579 (1993). 
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industry group prepared and gave voluntarily to the NRC. The agency did, however, 
have the authority to compel submission. The full Circuit Court of Appeals clarified 
the scope and application of the National Parks test. The court limited its application 
“to the category of cases to which [they were] first applied; namely those in which 
a FOIA request is made for commercial or financial information a person was obliged 
to furnish to the Government.” 32 The court established a new test for confidentiality 
when the information is submitted voluntarily; 33 the information is exempt from 
disclosure if the submitter can show that it does not customarily release the 
information to the public. 34 Under the Critical Mass decision, one standard (the 
traditional National Parks tests) applies to any information that a submitter “is 
required to supply,” while a broader exemption 4 standard (a new “customary 
treatment” test) applies to any information that is submitted to an agency on a 
voluntary basis. The burden of establishing the submitter’s custom remains with the 
agency seeking to withhold the records. Applying the customary treatment test to the 
information at issue (utility industry group reports voluntarily submitted), the D.C. 
Circuit agreed with the district court’s conclusion that the reports were commercial; 
that they were provided to the agency on a voluntary basis; and that the submitter did 
not customarily release them to the public. Thus, the reports were found to be 
confidential and exempt from disclosure under exemption 4. 

The key issue raised by Critical Mass is the distinction between “required” and 
“voluntary” information submissions. In its decision, the court did not expressly 
define the two terms. The Department of Justice has issued policy guidance on the 
distinction between information required and information voluntarily submitted 
under Critical Mass, and has taken the position that the submission of records in 
instances such as the bidding on government contracts is mandatory rather than 
voluntary. 35 The basic principles developed by the Justice Department are that a 
submitter’s voluntary participation in an activity does not determine whether any 
information submission made in connection with that activity is “voluntary;” that 
Critical Mass determinations should be made according to the circumstances of 
information submission; that information submissions can be “required” by a range 
of legal authorities, including informal mandates that call for the submission of 
information as a condition of dealing with the government or of obtaining a 
government benefit; and that the existence of agency authority to require an 
information submission does not automatically mean that the submission is 
“required.” 36 The decision in Critical Mass has generated a great deal of 
commentary. 37 In addition, there are many cases where courts have applied the 



32 Id. at 880. 

33 With respect to critical infrastructure information, the federal government seeks to ensure 
that it is able to obtain the information from the private sector on a voluntary basis. 

34 Id. at 879. 

35 See FOIA Update , Vol. XIV, No. 2, at 3-5 (“OIP Guidance: The Critical Mass Distinction 
Under Exemption 4"). 

36 Id. 

37 See, e.g., Rocco J. Maffei, The Impact of FOIA after Critical Mass, 22 Pub. Cont. L. J. 

(continued...) 
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Critical Mass distinction between voluntary and required submissions. 38 
Nonetheless, the Critical Mass voluntary vs. required standard has not been widely 
adopted by the other circuits that have endorsed the National Parks test. 

Executive Order 12,600 {Predisclosure Notification Proceduresfor Confidential 
Commercial Information), issued in 1987, requires each federal agency to establish 
procedures to notify submitters of confidential commercial information whenever an 
agency “determines that it may be required to disclose” such information under the 
FOIA. 39 The submitter is provided an opportunity to submit objections to the 
proposed disclosure. 40 If the agency decides to release the information over the 
objections of the submitter, the submitter may seek judicial review of the propriety 
of the release, and the courts will entertain a “reverse FOIA” suit to consider the 
confidentiality rights of the submitter. 41 

Another area of concern under exemption 4 jurisprudence is the so-called 
mosaic effect which recognizes that an individual piece of information, which in and 
of itself may not qualify as confidential business information, may be combined with 
other information to cause substantial competitive harm. Private information 
hawkers routinely engage in the business of assembling all of the pieces of 
information. Courts have applied the mosaic effect to prevent the disclosure of 
confidential business information. 42 

As previously noted with regard to critical infrastructure information, the federal 
government seeks to ensure that it is able to obtain information from the private 
sector on a voluntary basis. S. 2452, the Senate version of National Homeland 
Security and Combating Terrorism Act of 2002, would have essentially codified the 



37 (...continued) 

757 (1993); G. Branch Taylor, The Critical Mass Decision: A Dangerous Blow to 
Exemption 4 Litigation, 2 CommLaw Conspectus 133 (1994). 

38 See, e.g.., Lykes v. Bros. S.S. v. Pena, No. 92-2780, slip op. at 8-11 (D.D.C. Sept. 2, 
1993)(“under Critical Mass, submissions that are required to realize the benefits of a 
voluntary program are to be considered mandatory”); Lee v. LDIC, 923 F. Supp. 451, 454 
(S.D.N.Y. 1996)(when documents were “required to be submitted” in order to get 
government approval to merge two banks, court rejects agency’s attempt to nonetheless 
characterize submission as “voluntary”); AGS Computers, Inc. v. United States Dep’t of 
Treasury, No. 92-2714, slip op. at 10 (D.N.J. Sept. 16, 1993)(submitter’s submission of 
documents to agency during a meeting was done voluntarily because there was no 
“controlling statute, regulation, or written order”); Center for Auto Safety v. National 
Highway Traffic Safety Admin., 93 F. Supp. 2d 1 (D.D.C. Feb. 28, 2000), remanded by 
Center for Auto Safety v. National Highway Traffic Safety Admin., 244 F.3d 144 (D.C.Cir. 
Mar. 30, 200 l)(information on airbag systems submitted in response to agency ’ s request was 
a voluntary submission because agency lacked legal authority to enforce its request for 
information). 

39 3 C.F.R. 235 (1988), reprinted in 5 U.S.C. § 552 note. 

40 Exec. Order No. 12,600, § 4. 

41 Lee v. LDIC, 923 F. Supp. 451, 455 (S.D.N.Y. 1996). 

42 See, e.g., Tinken Co. v. U.S. Customs Serive, 491 F. Supp. 557 (D.D.C. 1980). 
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voluntary/required rule from the D.C. Circuit’ s decision in Critical Mass v. NRC, and 
applies it to critical infrastructure information voluntarily submitted by the private 
sector, and not customarily available to the public, to the new Department of 
Homeland Security. Codification of the Critical Mass standard could eliminate 
differences in treatment in the federal courts of confidential business information 
related to critical infrastructure. 



Legislative Responses 

FOIA Exemption in the Administration’s Initial Proposal for 
Homeland Security 

The Bush Administration’s initial legislative proposal establishing the new 
Department of Homeland Security proposed to exempt from disclosure under FOIA 
critical infrastructure information voluntarily submitted to the government by non- 
federal entities. Section 204 of the proposal stated: 

Information provided voluntarily by non-federal entities or individuals that 
relates to infrastructure vulnerabilities or other vulnerabilities to terrorism 
and is or has been in the possession of the Department [of Homeland 
Security] shall not be subject to section 552 of title 5, United States Code. 

This proposed language did not provide additional specificity, and was criticized by 
the FOIA requester community as “casting] a shroud of secrecy over one of the 
Department of Homeland Security’s critical functions, critical infrastructure 
protection.” 43 

FOIA Exemptions in Homeland Security Proposals 

When the President’s legislative proposal was reported out of the House Select 
Committee on Homeland Security as H.R. 5005 (Armey), the Administration’s FOIA 
exemption was modified and included in a separate subtitle (Title VII, Subtitle C, 
sections 721 - 7 24). 44 The Senate Government Affairs Committee, too, voted to add 
a FOIA exemption to its bill S. 2452 (Lieberman, section 198) establishing a 
Department of Homeland Security. The House language prevailed as Title n, 
Subtitle B, Section 214, in P.L 107-296. A brief discussion of the FOIA exemptions 
in these two homeland security bills follows. A comparison of the language 



43 David, Sobel, Electronic Privacy Information Center, Testimony Before House 
Subcommittee on Oversight and Investigation on “Creating the Department of Homeland 
Security: Consideration of Administration’s Proposal.” (July 9, 2002). 

44 On the House floor, two amendments to this section of the bill were offered. Amendment 
No. 24 would have eliminated Subtitle C entirely. Amendment No. 25 would have amended 
the definition of “covered agency” to include not just the Department of Homeland Security, 
but any other agency designated by the Department of Homeland Security or with which the 
Department shares critical infrastructure information. Both amendments failed. 148 Cong. 
Rec. H5845 (July 26, 2002). 
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regarding FOIA exemptions is included in the CRS Report RL31513, Homeland 
Security: Side-By-Side Comparison ofH.R. 5005 and S. 2452, 107th Congress. 

P.L. 107-296, Title II, Subtitle B. 

Section 214 of the Homeland Security Act of 2002 (P.L. 107-269) exempted 
from disclosure under FOIA “critical infrastructure information (including the 
identity of the submitting person or entity) that is voluntarily submitted to a covered 
agency for use by that agency regarding the security of critical infrastructure (as 
defined in the USA PATRIOT Act)..., 45 when accompanied by an express 
statement....” The Homeland Security Act defines critical infrastructure information 
to mean “information not customarily in the public domain and related to the security 
of critical infrastructure or protected systems — 

(A) actual, potential, or threatened interference with, attack on, 
compromise of, or incapacitation of critical infrastructure or protected 
systems by either physical or computer-based attack or other similar 
conduct (including misuse of or unauthorized access to all types of 
communications and data transmission systems) that violates federal, state, 
or local law, harms interstate commerce of the United States, or threatens 
public health and safety; 

(B) the ability of critical infrastructures or protected systems to resist such 
interference, compromise, or incapacitation, including any planned or past 
assessment, projection or estimate of the vulnerability of critical 
infrastructure or a protected system, including security testing, risk 
evaluation thereto, risk management planning, or risk audit; or, 

(C) any planned or past operational problem or solution regarding critical 
infrastructure. ..including repair, recovery, reconstruction, insurance, or 
continuity to the extent it relates to such interference, compromise, or 
incapacitation.” 46 

A “covered agency” is defined as the Department of Homeland Security. The 
submission of critical infrastructure information is considered voluntary if done in 
the absence of the Department of Homeland Security exercising its legal authority 
to compel access to or submission of such information. Information submitted to the 
Securities and Exchange Commission pursuant to section 12 (i) of the Securities and 
Exchange Act of 1934 is explicitly not protected by this provision. Nor is 
information disclosed or written when accompanying the solicitation of an offer or 
a sale of securities, nor if the information is submitted or relied upon as the basis for 
licensing or permitting determinations, or during regulatory proceedings. 



45 “Systems or assets, whether physical or virtual, so vital to the United States that the 
incapacity or destruction of such systems and assets would have a debilitating impact on 
security, national economic security, national public health or safety, or any combination 
of those matters.” P.L. 107-56, section 1016. 

46 



P.L. 107-296, §212(3). 
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Besides exempting from FOIA critical infrastructure information which has 
been submitted voluntarily with the appropriate express statement to the Department 
of Homeland Security, the Homeland Security Act also states that the information 
shall not be subject to any agency rules or judicial doctrine regarding ex parte 
communications with decision making officials. The Act also prohibits such 
information, without the written consent of the person or entity submitting such 
information in good faith, from being used directly by the Department of Homeland 
Security, any other federal, state, or local authority or any third party, in any civil 
action. Nor may the information, without the written consent of the person or entity 
submitting such information, be used or disclosed by any officer or employee of the 
United States for any purpose other than the purposes of the subtitle, except, in the 
furtherance of a criminal investigation or prosecution, or when disclosed to either 
House of Congress, or to the Comptroller General or other authorized General 
Accounting Office official, in the conduct of official business. Furthermore, any 
federal official or employee who knowingly publishes, divulges, discloses, or makes 
known in any manner or to any extent not authorized by law, any protected 
information, is subject to removal, imprisonment up to one year, and fines. If the 
information is disclosed to state or local officials, it may not be used for any purpose 
other than the protection of critical infrastructures, and it may not be disclosed under 
state disclosure laws. The protections afforded protected information do not result 
in waiver of any privileges or protections provided elsewhere in law. Finally, no 
communication of critical infrastructure information to the Department of Homeland 
Security shall be considered to be an action subject to the requirements of the Federal 
Advisory Committee Act. 47 

For information to be considered protected, it must be accompanied with a 
written marking to the effect that “this information is voluntarily submitted to the 
federal government in expectation of protection from disclosure as provided by the 
Critical Infrastructure Information Act of 2002 [the name given to Subtitle B] .” The 
Secretary of the Department of Homeland Security is to establish procedures for 
handling the information once it is received. Only those agency components or 
bureaus, designated by the President or the Secretary of Homeland Security, as 
having a Critical Infrastructure Program may receive critical infrastructure 
information from the Department. 

The above protections for information voluntarily submitted by a person or 
entity to the Department of Homeland Security do not limit or otherwise affect the 
ability of a state, local, or federal government entity, agency or authority, or any third 
party, under applicable law, to obtain critical infrastructure information (including 
any information lawfully and properly disclosed generally and broadly to the public) 
and to use that information in any manner permitted by law. Submittal to the 
government of information or records that are protected from disclosure is not to be 
construed as compliance with any requirement to submit such information to a 



47 The Federal Advisory Committee Act (FACA) requires that the meetings of all federal 
advisory committees serving executive branch entities be open to the public. The FACA 
specifies nine categories of information, similar to those in FOIA, that may be permissively 
relied upon to close advisory committee deliberations. 5 U.S.C. App. 2. 
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federal agency under any other provision of law. Finally, the Act does not expressly 
create a private right of action for enforcement of any provision of the Act. 



S. 2452, Section 198 (107th Congress). 

S. 2452, National Homeland Security and Combating Terrorism Act of 2002, 
as agreed to by the Senate Governmental Affairs Committee on July 25, 2002, 
exempted a “record” pertaining to the vulnerability of and threats to critical 
infrastructure (as defined in the USA PATRIOT Act) furnished voluntarily to the 
Department of Homeland Security from being made available under FOIA. A record 
was covered by the bill if the provider would not customarily make the record 
available to the public. It also required the provider to designate and certify, in a 
manner specified by the Department of Homeland Security, that the record is 
confidential and not customarily made available to the public. 

Unlike the Homeland Security Act (P.L. 107-296), the Senate bill did not 
include a definition of “critical infrastructure information.” However, the bill 
covered “records pertaining to the vulnerability of and threats to critical infrastructure 
(such as attacks, response, and recovery efforts).” 

Under S. 2452 a record is submitted voluntarily if it was submitted to the 
Department of Homeland Security “in the absence of authority of the Department 
requiring that record to be submitted,” and it is not submitted or used to satisfy any 
legal requirement or obligation or to obtain any grant, permit, benefit, or other 
approval from the federal government. 48 

Agencies with which the Department of Homeland Security shares protected 
records were to be bound by the FOIA exemption. FOIA requests for protected 
information were to be referred back to the Department of Homeland Security, and 
the Department was permitted to provide any portion of the record that is reasonably 
segregable from that part of the record which is exempt from disclosure, after 
deleting the protected information. The bill also allowed the provider of a record that 
is furnished voluntarily to the Department of Homeland Security to withdraw the 
confidential designation at any time in a manner specified by the Department. 

S . 2542 allowed an agency which had received independently of the Department 
a record “similar or identical” to that received by the Department, to disclose the 
record under FOIA. The Senate bill did not preempt state or local disclosure laws 
if the state or local authority received the information independent of the Department 
of Homeland Security, nor did it contain any civil liability immunity, or criminal 
penalties. 

The Secretary of the Department of Homeland Security was directed to prescribe 
procedures for: acknowledging the receipt of records furnished voluntarily; the 



48 Benefits include agency forbearance, loans, or reductions or modifications of agency 
penalties or rulings. Benefits do not include warnings, alerts, or other risk analysis offered 
by the Department. 
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certification of records furnished voluntarily as confidential and not customarily 
made available to the public; the care and storage of records furnished voluntarily; 
and the protection and maintenance of the confidentiality of records furnished 
voluntarily. 

Finally, the Senate bill required the Comptroller General to report to Congress 
on the implementation and use of the above protections. The report was to include 
the number of persons in the private sector and the number of state and local agencies 
that furnished records voluntarily under these provisions, the number of requests for 
access granted or denied under these provisions, and any recommendations regarding 
improvements in the collection and analysis of sensitive information related to the 
vulnerabilities of and threats to critical infrastructures. 

In sum, significant differences existed between H.R. 5005 (enacted into law as 
P.L. 107-296) and S. 2452. These differences included the scope of the information 
protection; the type of information covered and exempted from FOIA; the definition 
of a voluntary submission; the other purposes authorized for use or disclosure of the 
information; the disclosure of information with the consent of the submitter; the 
permissibility of disclosures of related information by other agencies; immunity from 
civil liability; preemption; and criminal penalties. 

Issues and Concerns 

The general concerns of the owners and operators of critical infrastructure are 
that the type and breadth of information they are being asked to submit on 
vulnerabilities, incidents, remedies, etc., if made available to competitors or to the 
general public, could harm their public relations, compromise their competitive 
position, expose them to liability, or disclose sensitive information to terrorists and 
others who might wish to disrupt the function of their infrastructure. It was their 
position that crafting a specific exemption to FOIA in statute (i.e., a (b)(3) 
exemption) would provide the greatest legal protections for the information they 
share. They believed that a narrowly tailored (b)(3) exemption would eliminate 
agency discretion to disclose protected information in response to a FOIA request. 
In addition, given the federal government’s need to share sensitive business 
information for homeland security purposes with state and local officials, owners and 
operators also sought federal preemption of state and local disclosure laws. Owners 
and operators were concerned that some of this information could make them subject 
to liability in unforeseen ways. 

A number of public interest groups have expressed (and continue to express) 
their opposition to the protections being applied, particularly those contained in the 
House version. 49 The primary concern is that the type of information exempted from 
FOIA was too broadly defined, and could allow any company claiming to be an 



49 Some of the groups that have expressed concern include the American Civil Liberties 
Union, the Electronic Privacy Information Center, Natural Resources Defense Fund, the 
Society of Professional Journalists, and the U.S. Public Interest Research Group. For a 
sample of the groups that have joined in opposition and their rationales, see 
[http://www.ombwatch.Org/article/articleview/943/l/18/cleanwateraction.org]. 
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owner or operator of a critical infrastructure to voluntarily submit almost any kind 
of information in order to protect the information from disclosure under the FOIA. 
Critics also believe the definition of critical infrastructure adopted from the USA 
PATRIOT Act is too broad. 

The Act also covers information regarding an attack, or similar conduct, that 
violates law or harms interstate commerce. According to one critique, the language 
“or similar conduct” and “harms interstate commerce” is broad and could include 
non-criminal or inadvertent incidents that cause temporary interruption of normal 
business operations. 50 The criticism goes on to state that the purposes for which the 
information may be used (and therefore contributing to the definition of what kind 
of information may be protected) includes analysis, warning, interdependency study, 
recovery, reconstitution, or “other informational purposes.” According to the 
critique, “other informational purposes” covers untold amounts of information, some 
of which may have been previously available to the public. 

These groups also are concerned that information currently collected by various 
agencies and available to the public could now be protected from disclosure if 
submitted to the Department of Homeland Security initially as critical infrastructure 
information. This is particularly an issue in the area of environmental law relating 
to a community’s right to know. 51 Both bills stated that the protections are granted 
“notwithstanding any other provisions of law.” Under current law (the Emergency 
Planning and Community Right-to-Know Act, P.L. 99-499, 42 USC 1 1001-11050), 
facilities handling certain toxic substances in excess of a threshold amount annually 
must report to the Environmental Protection Agency and local officials the maximum 
and average daily amounts of such substances that they had on hand during the 
previous year; the location of such chemicals within the facility; and estimates of 
how much was released into the environment as part of normal handling and 
processing. In addition, in the event of an accidental release above a threshold 
amount, facilities immediately must report the amount released to local officials. 

The 1990 amendments to the Clean Air Act (which were passed in P.L. 101- 
549, Section 301, amending 42 USC 7412) made it the duty of owners and operators 
of facilities producing, processing, handling, or storing certain extremely hazardous 
substances: to identify hazards that may result from releases; to design and maintain 
a safe facility; and to minimize the consequences of accidental releases which do 
occur. To prevent accidental releases, the Clean Air Act requires facilities handling 
such substances to develop “risk management plans.” Among the items included in 
these plans are an accounting of any accidental releases of those substances over the 
previous five years; estimates of the quantities of chemicals that might be released 
in the event of an accident, including a worst-case accident; estimates of the potential 
exposures to affected downwind populations; a program for preventing releases; and 
an emergency response program to protect public health and the environment in the 



50 Problems with S. 1456, Critical Infrastructure Information Act. National Resources 
Defense Council. Although directed at the rewritten version of S. 1456 that was never 
introduced, the language at issue is the same as that proposed in H.R. 5005. The critique can 
be found at [http://www.ombwatch.org/info/cii/nrdcproblems.html]. 

51 See CRS Report RL31530, Chemical Plant Security by Linda-Jo Schierow. 
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event of a release. Under the 1990 law, public disclosure of most of this information 
(which also could be released in response to FOIA requests) is required, but the 
details of the off-site consequence analyses (OCA) for hypothetical accidents are not 
required to be disclosed. In addition, companies may claim confidentiality for some 
submitted information, provided they can support that claim. 

Security concerns arose about the potential utility to terrorists of risk 
management planning data, just as EPA was planning to make the plans widely 
available to the public via the Internet. 52 Convinced of the need for caution, EPA 
agreed not to post OCA data on its website. Nevertheless, the information could be 
obtained electronically using FOIA, and several public interest groups announced that 
they would do so and post the data. In 1999, Congress responded by again amending 
the Clean Air Act. The amended Act exempts OCA data from disclosure under 
FOIA, and directs EPA to limit public disclosure as necessary to reduce risks. EPA 
issued a final regulation on data access on August 4, 2000. 53 It allows the public to 
see paper copies of sensitive OCA information through federal reading rooms, 
approximately one per state, and provides Internet access to the OCA data elements 
that pose the least serious criminal risk. State and local agencies are encouraged to 
provide the public with read-only access to OCA information on local facilities. At 
the federal reading rooms, members of the public may read OCA information for up 
to 10 facilities per calendar month and for all facilities with potential effects in the 
jurisdiction of the local emergency planning committee. State and local officials and 
other members of the public may share OCA information as long as the data are not 
conveyed in the format of sensitive portions of the RMP or any electronic database 
developed by EPA from those sections. 54 A Clinton Administration proposal to 
implement the final rule (66 Federal Register 4021, Jan. 17, 2001) would have 
allowed people to view plans of facilities outside their local area and enhanced access 
for “qualified researchers.” The draft plan was rescinded by the Bush Administration 
(66 Federal Register 15254, Mar. 16, 2001). No further regulatory action has been 
taken to date. 

Critics of the FOIA exemption for critical infrastructure information submitted 
voluntarily with the appropriate express statement are concerned that the 
“notwithstanding any other provision of law” clause could possibly exempt from 
FOIA information about facilities handling potentially dangerous chemicals that is 
currently available under the Emergency Planning and Community Right-to-Know 
Act and the Clean Air Act. 

Some public interest groups are concerned that the breadth of information that 
could be exempted from disclosure, combined with the prohibition on use of critical 



52 During the mid to late 1990s, federal agencies were facilitating electronic public access 
to governmental information in response to congressional directives, such as the Electronic 
Freedom of Information Act, P.L. 104-231, and presidential initiatives, such as “President 
Clinton’ s Environmental Monitoring for Public Access and Community Tracking” program. 

53 65 Federal Register 48 1 07-48 1 33. 

54 EPA Fact Sheet. “Chemical Safety Information, Site Security and Fuels Regulatory Relief 
Act: Public Distribution of Off-Site Consequence Analysis Information.” EPA 550-F00-012, 
Aug. 2000. 
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infrastructure information in any civil suit, could give owners or operators of critical 
infrastructures an “unprecedented immunity” from complying with a variety of laws 
(i.e., antitrust, tort, tax, civil rights, environmental, labor, consumer protection, and 
health and safety laws). Another concern centers on a perceived lack of clarity on 
whether information obtained independently by subpoena, for example, could be used 
to bring civil suit (e.g., would a victim of chemical exposure be precluded from suing 
if information previously submitted to the Department of Homeland Security was 
obtained independently from the company by subpoena). 

Another argument made by the public interest groups is that existing FOIA 
exemptions and case law offer sufficient protections to owner/operators. They cite 
exemption (b)(4), which allows agencies to withhold commercial information that 
is privileged or confidential, if by disclosing that information, the competitive 
position of the provider is harmed or the ability of the government to continue 
receiving that information is impaired. An exemption from FOIA for critical 
infrastructure information, they argue, would promote government secrecy and harm 
public access. 

These groups are also concerned about a provision they say gives the private 
sector the power to determine what information is to be protected, simply by 
including an express statement of protection from disclosure on the submission to the 
federal government. The criminal penalties provided for the unauthorized disclosure 
of protected information are viewed by some groups as essentially an anti- 
whistleblower provision designed to stifle government accountability. Another issue 
raised by the groups is whether a submission of information to the government will 
be treated as voluntary in situations where an agency has not exercised its authority 
to compel submission. Finally, the groups take issue with the provision that 
preempts state and local freedom of information laws. 

The public interest groups concerned with granting specific FOIA exemptions 
have expressed a guarded acceptance of the Senate version. They feel it basically 
puts into statute recent FOIA case law regarding the protections afforded confidential 
information submitted to government agencies under FOIA exemption 4. 55 

Representatives from industry responded to some of these concerns by stating 
that it was not their intent to evade current laws and regulations, but that the extra 
protections are needed before they are willing to voluntarily submit information that 
might be used against them later, either legally or competitively. Under the existing 
law, companies had no assurance that information they share with a government 
agency will be treated confidentially, and agencies are not required to commit to 
confidentiality at the time of disclosure. Agencies are not required to initiate the 
FOIA exemption process until a FOIA request is received. When it is received, the 
agency is asked to defend the information’s confidentiality, and is not required to 
inform the originator if it believes it has enough information to proceed. Industry is 
generally in favor of legislation that accomplishes the goal of encouraging it to 
submit security-related information without fear of public disclosure. 



55 Industry Offers Support for Scaled-Back Senate FOIA Revisions, Inside EPA (July 26, 
2002 ). 
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Representatives from owners and operators have also stated that they favor a narrow 
exemption so as to cover only infrastructure threat and vulnerability information. 56 



Conclusion 

Compelling arguments existed on both sides of the debate for and against 
exempting critical infrastructure information from the Freedom of Information Act. 
However, the Senate bill, S. 2452, never made it to the Senate floor. After the 
November 2002 election, sentiment to pass a Homeland Security Act led to the 
adoption by the Senate of large portions of the House-passed bill. The provisions 
regarding the exemption of Critical Infrastructure Information from FOIA adopted 
the House language in total. Public interest groups continue to criticize the language. 
S. 6 introduced January 7, 2003, in the 108 th Congress, and sent to the Senate 
Judiciary Committee, resurrects S. 2452 (107 th Congress) language (Title VIII, 
Subtitle B). 



56 Kenneth C. Watson, President Partnership for Critical Infrastructure Security, Testimony 
Before House Subcommittee on Oversight and Investigation on “Creating the Department 
of Homeland Security: Consideration of Administration’s Proposal.” (July 9, 2002). 




